DETAILED ACTION.

1. This action is in reply to applicant's correspondence of 02 May 2005. 

2. Claims 1-12,16,17 are pending for examination. 

3. Claims 1-12,16,17 are rejected. 

Claim Rejections - 35 USC §112
The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claim 3 recites the limitation " level in the directory " in claim 3. There is insufficient 
antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC §103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1-12,16,17 are rejected under 35 U.S.C. 103(a) as being unpatentable over Porras
et al, U.S. Patent 6,704,874 B1, and further in view of Beardsley et al, U.S. Patent 5,471,631.

4. As per claim 1; "A system for detecting intrusions on a host [Porras et al, col. 1, lines 20-
31, col. 2, lines 19-38, col. 3, lines 46-62, col. 12, lines 8-59], comprising:
a sensor for collecting information including events and timestamps from a logfile
[Porras et al, col. 1, lines 34-62, col. 52-65, col. 3, lines 30-40, 54-62, col. 6, lines 1-
57, col. 10, lines 39-45, col. 13, lines 15-23]; and

an analysis engine configured to 

identify a backward time step in the logfile by identifying a first entry for 
which an associated first log entry time is earlier in time than a second log 
entry log entry time associated with a second log entry entered in the log 
prior to the first entry, [Porras et al, col. 3,lines 30-40, col. 6,lines 13-col. 
7,line 8, col. 12,lines 45-58, whereas the general timestamp/temporal 
nature of event log timestamps processing is taught per se.], 
correlate the backward time step with an event, and 
assign a suspicion value to the event [Porras et al, col. 1, lines 34-col.
2, line 65, col. 6, line 58-col. 7, line 8, col. 8, lines 37-col. 9, line 6]."
6. Claim 2 additionally recites the limitations that; "The system as recited in claim 1,
wherein the analysis engine is configured to identify a time step as forward if a timestamp of an
entry in the logfile is later than a preceding entry in the logfile, and identify a time step as
backward if a timestamp of an entry in the logfile is earlier than a preceding entry in the
logfile.". The teachings of Porras et al (col. 1, lines 34-col. 2, line 65, col. 3, lines 30-40, 54-62,
col. 6, lines 1-57, col. 8, lines 37-col. 9, line 6, col. 10, lines 39-45, col. 13, lines 15-23) suggest
such limitations.
7. Claim 3 additionally recites the limitations that; "The system as recited in claim 1,
wherein the analysis engine is further configured to use expected activity level in the directory to
determine the suspicion value.". The teachings of Porras et al (col. 1, lines 34-col. 2, line 65, col.
3, lines 30-40, 54-62, col. 6, lines 1-57, col. 8, lines 37-col. 9, line 6, col. 10, lines 39-45, col.
12, lines 8-col. 13, line 23) suggest such limitations.

8. Claim 4 additionally recites the limitations that; "The system as recited in claim 1, 
further comprising a second sensor for collecting information including events and timestamps 
from a second logfile.". The teachings of Porras et al (col. 1, lines 34-col. 2, line 65, col. 5, lines
63-col. 6, line 13, col. 7, lines 55-66) suggest such limitations.

9. Claim 5 additionally recites the limitations that; "The system as recited in claim 4, 
wherein the analysis engine is configured to correlate a time step in the logfile with an event in 
the second logfile.". The teachings of Porras et al (col. 1, lines 34-col. 2, line 65, col. 5, lines 63-
col. 6, line 13, col. 6, line 58-col. 7, line 8, col. 8, lines 37-col. 9, line 6) suggest such limitations.

10. Claim 6 additionally recites the limitations that; "The system as recited in claim 1, 
wherein the analysis engine is further configured to filter out expected time steps from further
analysis.". The teachings of Porras et al (col. 1, lines 34-col. 2,line 65, col. 6,line 58-col. 7,line 8, 
col. 8,lines 37-col. 9,line 6) suggest such limitations. 
11. Claim 7 additionally recites the limitations that; "The system as recited in claim 6,
wherein the analysis engine is configured to filter out expected backward time steps by 
correlating them to Network Time Protocol adjustments.". The teachings of Porras et al (col. 
3,lines 30-40, col. 6,lines 38-57) suggest such limitations. 

12. Claim 8 additionally recites the limitations that; "The system as recited in claim 6, 
wherein the analysis engine is further configured to compute an expected time drift resulting
from a Network Time Protocol adjustment, and compare a forward time step in the logfile with
the expected time drift.". The teachings of Porras et al (col. 3, lines 30-40, col. 6, lines 38-57)
suggest such limitations. 

13. Claim 9 additionally recites the limitations that; "The system as recited in claim 8, 
wherein the analysis engine is further configured to compute a standard deviation of the expected 
time drift.". The teachings of Porras et al (col. 3,lines 30-40, col. 6,lines 38-57, col. 8,lines 37- 
67) suggest such limitations. 

14. Claim 10 additionally recites the limitations that; "The system as recited in claim 9, 
wherein the analysis engine is further configured to label time steps with weighted
distributions.". The teachings of Porras et al (col. 3,lines 30-40, col. 6,lines 38-57, col. 8,lines 
37-67) suggest such limitations. 
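As an added illustration of the analysis described in claims 1, 2 and 6-10 above (this is example code written for this page, not code from the application, from Porras et al or from Beardsley et al): the sensor stage parses timestamped log lines, the analysis stage compares each entry's timestamp with the preceding entry's to classify the time step as forward or backward, backward steps that coincide with a Network Time Protocol adjustment recorded in the log are filtered out as expected, and the remaining backward steps are correlated with the entry that introduced them and given a magnitude-weighted suspicion value. The log lines, the ntpd "time reset" message format (negative offset taken to mean the clock was stepped backward), the three-entry lookback window and the 600-second scoring scale are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: the ntpd step of -2.5 s at entry 2 explains the small
# backward jump at entry 3; the 30-minute jump back at entry 5 has no such cover.
SAMPLE_LOG = """\
2005-05-02T10:00:00 sshd[201]: Accepted password for alice from 10.0.0.5
2005-05-02T10:00:07 cron[300]: (root) CMD (run-parts /etc/cron.hourly)
2005-05-02T10:00:12 ntpd[120]: time reset -2.500000 s
2005-05-02T10:00:10 sshd[205]: Accepted password for bob from 10.0.0.9
2005-05-02T10:00:18 cron[301]: (root) CMD (logrotate)
2005-05-02T09:30:00 sshd[250]: Accepted publickey for carol from 10.0.0.7
2005-05-02T10:00:25 su[260]: session opened for user root by bob
"""

# Assumed NTP adjustment record: ntpd's "time reset <offset> s" line, where a
# negative offset means the host clock was stepped backward by that amount.
NTP_RESET = re.compile(r"ntpd\[\d+\]: time reset (?P<offset>[-+]?\d+(?:\.\d+)?) s")


@dataclass
class Entry:
    index: int        # order in which the entry was written to the log
    ts: datetime      # timestamp the logging host attached to the entry
    message: str


@dataclass
class Finding:
    entry: int        # index of the entry whose timestamp precedes its predecessor's
    delta_s: float    # signed step from the preceding entry, in seconds (negative)
    explained: bool   # True when an NTP adjustment accounts for the backward step
    suspicion: float  # 0.0 (benign) .. 1.0 (highly suspicious)


def parse_log(text: str) -> list[Entry]:
    """Sensor stage: extract (order, timestamp, message) from each log line."""
    entries: list[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, msg = line.partition(" ")
        entries.append(Entry(len(entries), datetime.fromisoformat(stamp), msg))
    return entries


def ntp_adjustment_covers(step_s: float, entries: list[Entry], idx: int, window: int = 3) -> bool:
    """Expected-backward-step filter: a backward ntpd reset logged within the
    previous `window` entries that is at least as large as the jump explains it."""
    for e in entries[max(0, idx - window):idx]:
        m = NTP_RESET.search(e.message)
        # both values are negative: the reset must have moved the clock back at least as far
        if m and float(m.group("offset")) <= step_s:
            return True
    return False


def suspicion_value(step_s: float, scale_s: float = 600.0) -> float:
    """Weight suspicion by magnitude: a jump of `scale_s` seconds or more scores 1.0."""
    return min(1.0, abs(step_s) / scale_s)


def analyse(text: str) -> list[Finding]:
    """Analysis engine: detect backward time steps, correlate each with the entry
    that introduced it, drop the ones an NTP adjustment explains, score the rest."""
    entries = parse_log(text)
    findings: list[Finding] = []
    for prev, cur in zip(entries, entries[1:]):
        step_s = (cur.ts - prev.ts).total_seconds()
        if step_s >= 0:
            continue  # forward time step: the normal case, not analysed here
        explained = ntp_adjustment_covers(step_s, entries, cur.index)
        score = 0.0 if explained else suspicion_value(step_s)
        findings.append(Finding(cur.index, step_s, explained, score))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Run against the sample, the analysis returns two backward steps: entry 3 (2 s back, covered by the -2.5 s ntpd reset, suspicion 0.0) and entry 5 (1818 s back, no adjustment on record, suspicion 1.0). The second finding is the kind of record claim 11 would hand to an operator for labelling; a real deployment would read the adjustment records from the time daemon's own log rather than assuming they share a file with the events.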
15. Claim 11 additionally recites the limitations that; "The system as recited in claim 1,
further comprising a user interface, and wherein the analysis engine is configured, upon 
correlating a time step to a record of an event in a logfile, to present the record to a user for 
labeling as to suspicion value.". The teachings of Porras et al (col. 7,lines 19-32, col 9,lines 13- 
20) suggest such limitations. 

16. Claim 12 additionally recites the limitations that; "The system as recited in claim 11,
wherein the analysis engine is further configured to propagate the suspicion value to related
events.". The teachings of Porras et al (col. 6, lines 27-32, col. 7, lines 19-32, 56-67, col. 9, lines 13-
20, col. 10, lines 65-67) suggest such limitations.

17. As per claim 16, this claim is the method claim for limitations from the apparatus claim 1
above, and is rejected for the same reasons provided for the claim 1 rejection.

And further as per claim 17, this claim is an embodied software claim for limitations 
from the method claim 16 above, and is rejected for the same reasons provided for the claim 16 
rejection. 

The teachings of Porras et al suggest the base claims limitations (see "As per claim 1, . . .
16, ...17, ... Claim 2, ...3, ...4, ...11, ...12 additionally recites the limitations ..." paragraphs
above) without explicitly teaching of ". . . identify a backward time step in the logfile by
identifying a first entry for which an associated first log entry time is earlier in time than a
second log entry log entry time associated with a second log entry entered in the log prior to the
first entry ..." for the event log timestamps processing.

Beardsley et al, teaches of using time stamps to correlate data processing event times in 
connected data processing units (i.e., relative skewed clock or time tagged log entry correction 
upon found discrepancies in said time tags; Beardsley et al figures 1-8 and associated 
descriptions). The Beardsley et al invention also clearly encompasses the logging of detected 
intrusions on a host aspects on a host system. 

Thus, it would have been obvious to a person of ordinary skill in the art at the time of the 
invention to have been motivated to combine the Porras et al system for 

detecting/logging/analysis thereof, and intrusions on a host, with the Beardsley et al teachings of 
using time stamps to correlate data processing event times in connected data processing units in 
order to provide the detecting/logging/analysis system with a more robust log analysis capability. 

Such motivation to combine would clearly encompass the need to allow "solving and
recovering from error conditions ... in identification of reasons for peripheral subsystem and
data processing system failures [i.e., intrusion detection per se, and the results thereof]. . . . it is
critical that data processing events, . . . preceding a data processing failure event be quickly and
easily identified. Such identification has been difficult because there is no time correlation of
error logs kept in a subsystem and error logs kept in a host processor relating to such data
processing events. ..." (i.e., Beardsley et al col. 1, lines 36-53).
Conclusion

18. Any inquiry concerning this communication or earlier communications from examiner 
should be directed to Ronald Baum, whose telephone number is (571) 272-3861, and whose 
unofficial Fax number is (571) 273-3861. The examiner can normally be reached Monday 
through Thursday from 8:00 AM to 5:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Ayaz Sheikh, can be reached at (571) 272-3795. The Fax number for the organization 
where this application is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for
unpublished applications is available through Private PAIR only. For more information about the
PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

Ronald Baum 
Patent Examiner 